Combating the Insider Cyber Threat


The penetration of US national security by foreign agents as well as American citizens is a historical and current reality that’s a persistent and increasing phenomenon. Surveys, such as the E-Crime Watch Survey (www.cert.org/archive/pdf/2004eCrimeWatchSummary.pdf), reveal that current or former employees and contractors are the second greatest cybersecurity threat, exceeded only by hackers, and that the number of security incidents has increased geometrically in recent years. The insider threat is manifested when human behavior departs from compliance with established policies, regardless of whether it results from malice or a disregard for security policies. The types of crimes and abuse associated with insider threats are significant; the most serious include espionage, sabotage, terrorism, embezzlement, extortion, bribery, and corruption. Malicious activities include an even broader range of exploits, such as copyright violations, negligent use of classified data, fraud, unauthorized access to sensitive information, and illicit communications with unauthorized recipients.

The “insider” is an individual currently or at one time authorized to access an organization’s information system, data, or network; such authorization implies a degree of trust in the individual. The insider threat refers to harmful acts that trusted insiders might carry out; for example, something that causes harm to the organization, or an unauthorized act that benefits the individual. A 1997 US Department of Defense (DoD) Inspector General report [1] found that 87 percent of identified intruders into DoD information systems were either employees or others internal to the organization. More generally, recent studies of cybercrime (such as the 2004 through 2006 E-Crime Watch Surveys; www.cert.org/archive/) in both government and commercial sectors reveal that although the proportion of insider events is declining (31 percent in 2004 and 27 percent in 2006), the financial impact and operating losses due to insider intrusions are increasing. Of those companies experiencing security events, the majority (55 percent) report at least one insider event (up from 39 percent in 2005).

In this article, we’ll focus on the need for effective training to raise staff awareness about insider threats and the need for organizations to adopt a more effective approach to identifying potential risks and then taking proactive steps to mitigate them.

Training research

To help staff, management, and human resource personnel understand the social-behavioral factors and technical issues underlying insider threats, training on insider threat awareness and mitigation must be flexible and customizable to different roles and responsibilities. It should also be highly relevant and realistic and address privacy and legal issues. The question of how to effectively convey such complex knowledge and skills is tied to fundamental instructional systems design (ISD) issues with philosophical and theoretical roots to theorists such as Jean Piaget, John Dewey, and Lev Vygotsky [2], who argued that learning contexts should be coupled with multiple opportunities for the learner to “construct” or discover meaning in the material (a constructivist or student-centered instructional philosophy) in contrast with the behaviorist or instructor-centered approach associated with traditional expository instruction.

Ongoing research at each of our institutions attempts to raise the bar in both training and insider research and development.

Pacific Northwest National Laboratory

PNNL has focused on interactive training in a variety of domains and predictive modeling for insider threat detection. Specifically, its researchers have developed complex, cognitive-based instruction to produce workshops and hands-on training, interactive computer-based training systems, and serious gaming approaches, blended training techniques [3,4], and research on the effectiveness of game-based training [5]. For cybersecurity, an R&D initiative at PNNL (the Information and Infrastructure Integrity Initiative) is advancing research on predictive and adaptive systems, including a project devoted specifically to cyber and behavioral modeling approaches to mitigate or predict malicious insider exploits [6].

Carnegie Mellon University/Software Engineering Institute CERT Program

CERT has examined more than 200 cases of insider cybercrimes across US critical infrastructure sectors, focusing on both technical and behavioral aspects [7,8]. Ongoing work at CERT attempts to find effective mechanisms for communicating the results of this research to practitioners in government and industry through integrative models of the problem [9,10], case studies and assessment of best practices [11], and interactive instructional cases and games in which players are challenged to identify insider threat risks and take steps to mitigate them [12]. (See www.cert.org/insider_threat/ for a fuller description of CERT’s insider threat research.)

US Air Force Research Laboratory

The AFRL has conducted considerable research into different approaches to training cognitive skills, to define better methods for measuring job skills as well as evaluate training programs. Additionally, it recently conducted a workshop to examine ways to incorporate storytelling into instruction, the results of which could help those who want to instruct managers about insider threats via games.

Training solutions in the insider threat domain

Recently, the authors of this article came together to advance their collective approaches and ideas to suggest innovative training solutions for the insider threat problem; an initial outcome is the preparation of this article. As we noted earlier, there’s currently a paucity of training on insider threat for individuals with different roles and responsibilities within organizations. Although this problem is increasingly acknowledged within government and industry, much remains to be done. At the very least, the field needs more workshops and training courses to raise the awareness of management and human resources personnel about behavioral indicators and how to decrease risk; policies must be established to provide guidance for staff and management alike; and effective training is needed.

Workshops

Past research on insider threats has shown that managing insider threat risks within an organization is an extremely complex task characterized by limited information, complex feedback relationships, conflicting goals, and uncertain causal relationships. To address this, CERT developed an insider threat education and awareness workshop called MERIT (Management and Education of the Risks of Insider Threat) [9] and the materials presented at the Computer Security Institute’s conference in November 2006 (www.cert.org/archive/pdf/CSInotes.pdf) based on previous empirical research on insider threats conducted at CERT and elsewhere.

The MERIT workshop focuses on insider IT sabotage and has the following structure:

• overview of empirical research on insider threat;
• interactive discussion of the instructional case of insider IT sabotage;
• general observations from case data;
• system dynamics model (problem, prevention, and mitigation); and
• recommendations for countering threats.

Our case study research and system dynamics modeling approach have helped to broaden our understanding of the insider threat problem and possible leverage points for its mitigation. We therefore characterize our offering as a workshop, rather than training, to emphasize that it focuses on interactive education and raising awareness of how organizations can mitigate the problem.

Games

The MERIT workshop is an initial step toward more effective training about insider threat risk awareness and mitigation. As Figure 1 shows, CERT also aims to bring the benefits of serious game technology to bear on the challenge of insider threat education. In collaboration with Carnegie Mellon’s Entertainment Technology Center, CERT built a proof-of-concept game, called MERIT Interactive, that immerses players in a realistic business setting from which they make decisions about how to prevent, detect, and respond to insider actions and see how their decisions impact key performance metrics. It provides a team-oriented, role-playing experience using model-based simulation of critical aspects of insider threat risk management in a realistic organizational context. Team orientation is critical because organizations typically identify these problems at an organizational enterprise level rather than an individual manager or department level. Role playing is also crucial because solutions generally require collaboration among multiple stakeholders; role playing helps players understand and acquire the necessary skills.

IEEE SECURITY & PRIVACY ■ JANUARY/FEBRUARY 2008

CERT is currently modifying the MERIT system dynamics model to serve as a back-end engine for MERIT Interactive. This should help transfer any insights the model provides into MERIT Interactive’s learning objectives. Then, experiments will be carried out to assess the extent to which players have learned important lessons about the insider threat domain. We believe MERIT Interactive will ultimately help decision-makers better understand the effects their decisions have on risk — both its promotion and mitigation.

Clearly, a critical need exists for more effective organizational strategies to combat and prevent insider abuses. A complete and effective insider threat mitigation strategy must take into account human motivations and behaviors along with organizational factors such as policies, hiring, and training practices, and the technical vulnerabilities and best practices for prevention or early detection of unauthorized insider activity. We must conduct program evaluations to verify that we’re teaching the right lessons, that staff behavior and attitudes reflect those training objectives, and that organizations ultimately benefit from these organizational strategies.

We must also recognize potential consequences and ethical issues surrounding possible mitigation strategies that could constrain users or systems or negatively impact productivity — for example, organizational responses to insider threat that might affect employee morale, or legal and privacy considerations associated with planned policies and IT measures. Ultimately, an organization must find solutions that provide a proper balance among the three system components of its response to insider threats (IT tools for predictive defense, organizational policies and practices, and management/staff training).

Figure 1. The MERIT Interactive approach provides a team-oriented, role-playing experience using model-based simulation of critical aspects of insider threat risk management. Informed by actual case studies, the simulated scenarios challenge players to understand and solve relevant problems in a realistic organizational context.